Attackers Targeting Flaws In Dasan Networks Routers

Just days after their disclosure, threat actors began targeting flaws in GPON home routers made by Dasan Networks, a South Korea-based vendor.

According to an anonymous researcher who published details on the vpnMentor blog last week, there are approximately one million potentially vulnerable devices directly accessible from the Internet.

The researcher’s findings describe two vulnerabilities: an authentication bypass (CVE-2018-10561) and a remote code execution flaw reached through command injection (CVE-2018-10562). CVE-2018-10561 lets anyone reach the router’s web management interface simply by appending the string “?images” to any URL, exposing the device’s entire configuration to an unauthenticated visitor. The second flaw lets an authenticated user inject arbitrary commands. Chained together, the two allow a remote, unauthenticated attacker to take complete control of a vulnerable device and potentially of the network behind it, the researcher said. vpnMentor also published a video summarizing the findings.
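For defenders (an ISP or anyone with HTTP logs from traffic toward CPE management ports), the most useful immediate artifact is a detector for the bypass pattern the researcher described. The following Python is an added example written for this page, not code from vpnMentor or the article. The Common Log Format parsing, the sample log lines (constructed, not captured traffic) and the assumption that an HTTP 200 answer to a “?images” request means the bypass succeeded are all mine; real traffic could use variants of the query string.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines in Common Log Format. These are made-up
# entries for illustration only (RFC 5737 documentation addresses), not real
# captured traffic. One line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:12:01:03 +0000] "GET /menu.html?images/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2018:12:01:04 +0000] "POST /index.html?images/ HTTP/1.1" 200 88
198.51.100.22 - - [10/May/2018:12:03:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.22 - - [10/May/2018:12:03:11 +0000] "GET /index.html?images/ HTTP/1.1" 401 0
192.0.2.55 - - [10/May/2018:12:05:44 +0000] "GET /?images HTTP/1.1" 200 4096
this line is not a valid log entry
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def is_images_bypass(target: str) -> bool:
    """Return True if the request target carries the '?images' query the
    vpnMentor write-up describes appended to it, i.e. the query string itself
    begins with 'images', whatever the path is.  A legitimate request for a
    file under /images/ has that string in the path, not the query, so it is
    not flagged."""
    return urlsplit(target).query.lower().startswith("images")


def parse_line(line: str):
    """Parse one Common Log Format line into a dict, or None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_bypass_attempts(log_text: str) -> list:
    """Return the parsed records whose request target matches the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_images_bypass(record["target"]):
            hits.append(record)
    return hits


def summarize(log_text: str) -> dict:
    """Count bypass attempts, group them by source address, and (assumption)
    treat a 200 response to such a request as a likely successful bypass."""
    hits = find_bypass_attempts(log_text)
    return {
        "attempts": len(hits),
        "sources": dict(Counter(h["ip"] for h in hits)),
        "succeeded": sum(1 for h in hits if h["status"] == "200"),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"bypass attempts: {report['attempts']}")
    print(f"likely successful: {report['succeeded']}")
    for ip, count in sorted(report["sources"].items()):
        print(f"  {ip}: {count}")
```

The check keys on the query string rather than a substring match on the whole URL, so ordinary requests for image assets do not create noise. The 200-versus-401 split separates devices that still honour the bypass from ones that rejected it, which is what a fleet operator needs when deciding which customers to prioritise.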

The flaws affect Dasan Networks’ GPON-capable routers. GPON (Gigabit Passive Optical Network) is a fiber-optic access technology used to deliver home Internet service. Typically, ISPs buy such routers in bulk and hand them to their subscribers, so a single firmware flaw is replicated across an entire customer base.

Most of the vulnerable devices are located in Mexico, Kazakhstan and Vietnam, countries in which ISPs have rolled out their infrastructure on top of Dasan’s GPON devices.

Researchers from Netlab 360, a China-based cybersecurity firm, said that the well-known Satori botnet has already started infecting the Dasan routers. A Netlab 360 researcher told Ars Technica that the number of infected routers seen per day is around 13,700, 82% of them in Vietnam.

Satori previously infected more than 100,000 routers in just 12 hours in December 2017 by exploiting flaws in Huawei and Realtek devices. Last month, Satori’s operators released a variant that infected devices used to mine cryptocurrency.

Queries against the IoT search engine Shodan confirmed the vpnMentor researcher’s claim that more than one million GPON home routers are exposed to the Internet.

“Depending on what the attacker wants to achieve, he can be spying on the user and any connected device (TV, phones, PC and even speakers like Amazon Echo). Also he can inject malware into the browser which means even when you leave your home network your device would be hacked now,” Ariel Hochstadt, co-founder of vpnMentor, told SecurityWeek. “If the hacker is resourceful (government etc) he can enable advanced spear phishing attacks, and even route criminal activities through exploited routers (Imagine the FBI knocks on your door telling you they saw someone in your house using your IP address and selling stolen credit card numbers on the dark web).”